diff --git a/Patches/LineageOS-17.1/android_frameworks_base/405515.patch b/Patches/LineageOS-17.1/android_frameworks_base/405515.patch
new file mode 100644
index 00000000..ebe33039
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/405515.patch
@@ -0,0 +1,32 @@
+From b0aee0b8b81d776e7c3234f7b340a856d138e4c4 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev
+Date: Thu, 11 Jul 2024 12:39:22 -0700
+Subject: [PATCH] Update AccountManagerService checkKeyIntent.
+
+Block intents with "content" data scheme.
+
+Bug: 349780950
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from commit c1e79495a49bd4d3e380136fe4bca7ac1a9ed763)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59b2cc4447fbbdea58840f5b9d885d83241ac5f5)
+Merged-In: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+Change-Id: I8b23191d3d60036ca7ddf0ef7dcba6b38fb27b3c
+---
+ .../com/android/server/accounts/AccountManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 37a68d3eec76c..fb79904a5b3a8 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4812,6 +4812,9 @@ protected boolean checkKeyIntent(int authUid, Bundle bundle) {
+ if (resolveInfo == null) {
+ return false;
+ }
++ if ("content".equals(intent.getScheme())) {
++ return false;
++ }
+ ActivityInfo targetActivityInfo = resolveInfo.activityInfo;
+ int targetUid = targetActivityInfo.applicationInfo.uid;
+ PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class);
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/405516.patch b/Patches/LineageOS-17.1/android_frameworks_base/405516.patch
new file mode 100644
index 00000000..02036d0f
--- /dev/null
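Review bot: The new `"content".equals(intent.getScheme())` test in checkKeyIntent (405515.patch) carries no comment, and the commit message says only that content-scheme intents are blocked. A line such as `// Reject content:// data URIs: an authenticator-supplied intent must not point the launched activity at provider data.` above the check would record the reason; that rationale is inferred from the bug-fix context, so confirm the wording against the bug. The check inspects only the intent's data URI. Whether ClipData or URI-grant flags on the same intent are handled elsewhere in checkKeyIntent cannot be seen here, because the function body starts and ends outside the hunk.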
+++ b/Patches/LineageOS-17.1/android_frameworks_base/405516.patch
@@ -0,0 +1,30 @@
+From f31bdd9c6658dfb932eea857f17cc2d21124031e Mon Sep 17 00:00:00 2001
+From: William Loh
+Date: Mon, 3 Jun 2024 12:56:47 -0700
+Subject: [PATCH] Fail parseUri if end is missing
+
+Bug: 318683126
+Test: atest IntentTest
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b85bee508793e31d6fe37fc9cd4e8fa3787113cc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5d754ed6dd1fd321746f5ec4742831ffd97a9967)
+Merged-In: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+Change-Id: I5f619ced684ff505ce2b7408cd35dd3e9be89dea
+---
+ core/java/android/content/Intent.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index 24d59a0826c85..4ea29407f352f 100644
+--- a/core/java/android/content/Intent.java
++++ b/core/java/android/content/Intent.java
+@@ -7053,6 +7053,9 @@ public static Intent parseUri(String uri, @UriFlags int flags) throws URISyntaxE
+ int eq = uri.indexOf('=', i);
+ if (eq < 0) eq = i-1;
+ int semi = uri.indexOf(';', i);
++ if (semi < 0) {
++ throw new URISyntaxException(uri, "uri end not found");
++ }
+ String value = eq < semi ? Uri.decode(uri.substring(eq + 1, semi)) : "";
+
+ // action
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/405517-backport.patch b/Patches/LineageOS-17.1/android_frameworks_base/405517-backport.patch
new file mode 100644
index 00000000..d06b13c4
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_frameworks_base/405517-backport.patch
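Review bot: The new `throw new URISyntaxException(uri, "uri end not found")` in parseUri (405516.patch) omits the position, although the index `i` at which the unterminated field starts is in scope. `throw new URISyntaxException(uri, "uri end not found", i);` would make a rejected input easier to diagnose from logs. The surrounding loop starts and ends outside the hunk, so whether the method's other throws pass an index is not visible here.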
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mark Renouf
+Date: Thu, 20 Jun 2024 16:37:42 -0400
+Subject: [PATCH] Prevent Sharing when FRP enforcement is in effect
+
+ADB command to trigger sharing:
+
+```
+adb shell 'am start -a android.intent.action.CHOOSER --eu android.intent.extra.INTENT "intent:#Intent;action=android.intent.action.SEND;type=text/plain;S.android.intent.extra.TEXT=Shared%20text;end"'
+```
+
+Bug: 327645387
+Test: manual; trigger FRP; attempt to open share sheet using adb
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5080af26387a18d5638d5a42eadfb8d4d700518c)
+Merged-In: I1db78ab74babe71b516f601be35cf476b5e43271
+Change-Id: I1db78ab74babe71b516f601be35cf476b5e43271
+---
+ core/java/com/android/internal/app/ChooserActivity.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
+index 2e17dce90240..300e1053cc16 100644
+--- a/core/java/com/android/internal/app/ChooserActivity.java
++++ b/core/java/com/android/internal/app/ChooserActivity.java
+@@ -525,6 +525,14 @@ public class ChooserActivity extends ResolverActivity {
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
++ if (Settings.Secure.getIntForUser(getContentResolver(),
++ Settings.Secure.SECURE_FRP_MODE, 0,
++ getUserId()) == 1) {
++ Log.e(TAG, "Sharing disabled due to active FRP lock.");
++ super.onCreate(savedInstanceState);
++ finish();
++ return;
++ }
+ final long intentReceivedTime = System.currentTimeMillis();
+ // This is the only place this value is being set. Effectively final.
+ mIsAppPredictorComponentAvailable = isAppPredictionServiceAvailable();
diff --git a/Patches/LineageOS-17.1/android_frameworks_base/405518.patch b/Patches/LineageOS-17.1/android_frameworks_base/405518.patch
new file mode 100644
index 00000000..0e896ad4
--- /dev/null
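Review bot: The FRP guard added at the top of ChooserActivity.onCreate (405517-backport.patch) fails open: `getIntForUser(..., SECURE_FRP_MODE, 0, getUserId())` returns the default 0 when the setting is absent, so sharing proceeds whenever the value cannot be read. That may be intended, but it deserves a comment, e.g. `// Default 0 = FRP not active; a missing value therefore allows sharing.` Because this is a hand-made backport (the patch carries an all-zero From hash), also confirm that `Settings.Secure.SECURE_FRP_MODE` and the `Settings` and `Log` imports exist in this branch. Neither the import block nor the rest of onCreate is inside the hunk.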
+++ b/Patches/LineageOS-17.1/android_frameworks_base/405518.patch
@@ -0,0 +1,39 @@
+From 5fe06ebbd23db602bb46ba51a7e40711d7823be6 Mon Sep 17 00:00:00 2001
+From: Sumedh Sen
+Date: Wed, 17 Jul 2024 01:00:55 +0000
+Subject: [PATCH] [RESTRICT AUTOMERGE] Check whether installerPackageName
+ contains only valid characters
+
+Bug: 341256391
+Bug: 307532206
+Test: sts-tradefed run sts-dynamic-develop -m CtsSecurityTestCases -t android.security.cts.CVE_2024_0044
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9b850b6f68e63288f240439601723412324381bb)
+Merged-In: I74a172c617d6f5b13f0708092156b657b73b5891
+Change-Id: I74a172c617d6f5b13f0708092156b657b73b5891
+---
+ .../com/android/server/pm/PackageInstallerService.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageInstallerService.java b/services/core/java/com/android/server/pm/PackageInstallerService.java
+index 7e67021e3b847..ab8cc4c8d6697 100644
+--- a/services/core/java/com/android/server/pm/PackageInstallerService.java
++++ b/services/core/java/com/android/server/pm/PackageInstallerService.java
+@@ -580,12 +580,17 @@ private int createSessionInternal(SessionParams params, String installerPackageN
+ params.appLabel = TextUtils.trimToSize(params.appLabel,
+ PackageItemInfo.MAX_SAFE_LABEL_LENGTH);
+
+- // Validate installer package name.
++ // Validate requested installer package name.
+ if (params.installerPackageName != null && !isValidPackageName(
+ params.installerPackageName)) {
+ params.installerPackageName = null;
+ }
+
++ // Validate installer package name.
++ if (installerPackageName != null && !isValidPackageName(installerPackageName)) {
++ installerPackageName = null;
++ }
++
+ String requestedInstallerPackageName =
+ params.installerPackageName != null ? params.installerPackageName
+ : installerPackageName;
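Review bot: The two validation blocks in createSessionInternal now carry near-identical comments ("Validate requested installer package name." and "Validate installer package name."), which does not tell a reader that the second one covers the method's own `installerPackageName` argument rather than `params.installerPackageName`. Suggest `// Validate the installerPackageName argument passed by the caller; the block above covers params.installerPackageName.` Both blocks silently replace an invalid name with null, so when both are invalid `requestedInstallerPackageName` ends up null. Whether the code after the hunk tolerates that, and whether a rejected name should be logged, cannot be judged from these lines.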
diff --git a/Patches/LineageOS-17.1/android_libcore/405541.patch b/Patches/LineageOS-17.1/android_libcore/405541.patch
new file mode 100644
index 00000000..664b71ec
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_libcore/405541.patch
@@ -0,0 +1,53 @@
+From 1e0f995b0b68d811d4225e73426c4c6350a506ad Mon Sep 17 00:00:00 2001
+From: Almaz Mingaleev
+Date: Wed, 10 Jul 2024 13:38:35 +0100
+Subject: [PATCH] Do not accept zip files with invalid headers.
+
+According to Section 4.3.6 in [1] non-empty zip file starts with
+local file header. 4.3.1 allows empty files, and in such case
+file starts with "end of central directory record".
+
+This aligns ZipFile with libziparchive modulo empty zip files -
+libziparchive rejects them.
+
+Tests are skipped because sc-dev branch uses ART module
+prebuilts, but builds tests from sources which leads to presubmit
+failures.
+
+Ignore-AOSP-First: b/309938635#comment1
+
+[1] https://pkwaredownloads.blob.core.windows.net/pem/APPNOTE.txt
+
+Bug: 309938635
+Test: CtsLibcoreTestCases
+Test: CtsLibcoreOjTestCases
+(cherry picked from commit 288a44a1817707110cdf5a3a6ef8377c6e10cce2)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e428a99aa89a9dfbe93000171721ecbfc31b88)
+Merged-In: I545cdd49ec3cc138331145f4716c8148662a478b
+Change-Id: I545cdd49ec3cc138331145f4716c8148662a478b
+---
+ ojluni/src/main/native/zip_util.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ojluni/src/main/native/zip_util.c b/ojluni/src/main/native/zip_util.c
+index aa9c5cede9e..16951a78ede 100644
+--- a/ojluni/src/main/native/zip_util.c
++++ b/ojluni/src/main/native/zip_util.c
+@@ -878,6 +878,17 @@ ZIP_Put_In_Cache0(const char *name, ZFILE zfd, char **pmsg, jlong lastModified,
+ zip->locsig = JNI_TRUE;
+ else
+ zip->locsig = JNI_FALSE;
++
++ // BEGIN Android-changed: do not accept files with invalid header.
++ if (GETSIG(errbuf) != LOCSIG && GETSIG(errbuf) != ENDSIG) {
++ if (pmsg) {
++ *pmsg = strdup("Entry at offset zero has invalid LFH signature.");
++ }
++ ZFILE_Close(zfd);
++ freeZip(zip);
++ return NULL;
++ }
++ // END Android-changed: do not accept files with invalid header.
+ }
+
+ // This lseek is safe because it happens during construction of the ZipFile
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/405540.patch b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/405540.patch
new file mode 100644
index 00000000..6a9e2285
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Bluetooth/405540.patch
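Review bot: The message set in the new rejection branch of ZIP_Put_In_Cache0 (405541.patch), "Entry at offset zero has invalid LFH signature.", is narrower than the condition, which also accepts ENDSIG for an empty archive. A comment on the check such as `// Offset 0 must hold a local file header, or an end-of-central-directory record for an empty archive.` would keep the two in step. The added block sits inside an enclosing `if` whose condition is outside the hunk. If that condition is the success of the 4-byte read into `errbuf`, a file for which the read fails skips the signature test entirely, so confirm that the later length checks reject it.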
@@ -0,0 +1,84 @@
+From 6799e4b038c33ce3fd175749ebdea69379a5489f Mon Sep 17 00:00:00 2001
+From: Himanshu Rawat
+Date: Mon, 8 Apr 2024 19:44:45 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID
+ connections 2/2
+
+HID profile accepted any new incoming HID connection. Even when the
+connection policy disabled HID connection, remote devices could initiate
+HID connection.
+This change ensures that incoming HID connection are accepted only if
+application was interested in that HID connection.
+This vulnerarbility no longer exists on the main because of feature
+request b/324093729.
+
+Test: Manual | Pair and connect a HID device, disable HID connection
+from Bluetooth device setting, attempt to connect from the HID device.
+Bug: 308429049
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96)
+Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777
+Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777
+---
+ jni/com_android_bluetooth_hid_host.cpp | 8 +++++---
+ src/com/android/bluetooth/hid/HidHostService.java | 7 +++++--
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp
+index cab5e3361..22c7dcfe8 100644
+--- a/jni/com_android_bluetooth_hid_host.cpp
++++ b/jni/com_android_bluetooth_hid_host.cpp
+@@ -284,7 +284,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object,
+ }
+
+ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
+- jbyteArray address) {
++ jbyteArray address,
++ jboolean reconnect_allowed) {
+ jbyte* addr;
+ jboolean ret = JNI_TRUE;
+ if (!sBluetoothHidInterface) return JNI_FALSE;
+@@ -295,7 +296,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object,
+ return JNI_FALSE;
+ }
+
+- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr);
++ bt_status_t status =
++ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed);
+ if (status != BT_STATUS_SUCCESS) {
+ ALOGE("Failed disconnect hid channel, status: %d", status);
+ ret = JNI_FALSE;
+@@ -511,7 +513,7 @@ static JNINativeMethod sMethods[] = {
+ {"initializeNative", "()V", (void*)initializeNative},
+ {"cleanupNative", "()V", (void*)cleanupNative},
+ {"connectHidNative", "([B)Z", (void*)connectHidNative},
+- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative},
++ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative},
+ {"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative},
+ {"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative},
+ {"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative},
+diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java
+index 10d414d46..ed35c2908 100644
+--- a/src/com/android/bluetooth/hid/HidHostService.java
++++ b/src/com/android/bluetooth/hid/HidHostService.java
+@@ -161,7 +161,10 @@ public void handleMessage(Message msg) {
+ break;
+ case MESSAGE_DISCONNECT: {
+ BluetoothDevice device = (BluetoothDevice) msg.obj;
+- if (!disconnectHidNative(Utils.getByteAddress(device))) {
++ int connectionPolicy = getConnectionPolicy(device);
++ boolean reconnectAllowed =
++ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED;
++ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) {
+ broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING);
+ broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED);
+ break;
+@@ -934,7 +937,7 @@ public void dump(StringBuilder sb) {
+
+ private native boolean connectHidNative(byte[] btAddress);
+
+- private native boolean disconnectHidNative(byte[] btAddress);
++ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed);
+
+ private native boolean getProtocolModeNative(byte[] btAddress);
+
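Review bot: In HidHostService's MESSAGE_DISCONNECT branch, `reconnectAllowed` is true only for `CONNECTION_POLICY_ALLOWED`, so any other value returned by `getConnectionPolicy(device)`, including an unknown policy, makes the native disconnect path mark the device as not allowed to reconnect. If that is the intent, say so next to the comparison, e.g. `// Anything other than ALLOWED (including unknown) blocks incoming reconnection.` Also confirm that `getConnectionPolicy` and `BluetoothProfile.CONNECTION_POLICY_ALLOWED` are defined in this branch, since neither definition is visible in the patch. The handler's switch starts and ends outside the hunk.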
diff --git a/Patches/LineageOS-17.1/android_packages_apps_Settings/405534.patch b/Patches/LineageOS-17.1/android_packages_apps_Settings/405534.patch
new file mode 100644
index 00000000..7f50d430
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_packages_apps_Settings/405534.patch
@@ -0,0 +1,52 @@
+From da6ee7b698b7d4c4cbe56c70027904268b72d0f1 Mon Sep 17 00:00:00 2001
+From: Yiling Chuang
+Date: Mon, 8 Jul 2024 03:09:50 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE FRP bypass defense in App battery usage
+ page
+
+Before the setup flow completion, don't allow the app info page in App battery usage to be launched.
+
+Bug: 327748846
+Test: atest SettingsRoboTests + manual test
+- factory reset + launch app battery usage app info via ADB during Setup -> verify app closes
+Flag : EXEMPT bugfix
+
+(cherry picked from commit 419a6a907902a12a0f565c808fa70092004d6686)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:62b0014ed6e69b0abc48a5c18b740f95bc5dc429)
+Merged-In: I486820ca2afecc02729a56a3c531fb931c1907d0
+Change-Id: I486820ca2afecc02729a56a3c531fb931c1907d0
+---
+ .../android/settings/fuelgauge/AdvancedPowerUsageDetail.java | 5 +++++
+ .../settings/fuelgauge/AdvancedPowerUsageDetailTest.java | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+index e8d5f3330f2..d17642053e7 100644
+--- a/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
++++ b/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetail.java
+@@ -210,6 +210,11 @@ public void onResume() {
+ initPreference();
+ }
+
++ @Override
++ protected boolean shouldSkipForInitialSUW() {
++ return true;
++ }
++
+ @VisibleForTesting
+ void initHeader() {
+ final View appSnippet = mHeaderPreference.findViewById(R.id.entity_header);
+diff --git a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+index 8eeac8d26b0..37fa511beeb 100644
+--- a/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
++++ b/tests/robotests/src/com/android/settings/fuelgauge/AdvancedPowerUsageDetailTest.java
+@@ -395,4 +395,9 @@ public void testInitPreference_hasCorrectSummary() {
+ assertThat(mForegroundPreference.getSummary().toString()).isEqualTo("Used for 0 min");
+ assertThat(mBackgroundPreference.getSummary().toString()).isEqualTo("Active for 0 min");
+ }
++
++ @Test
++ public void shouldSkipForInitialSUW_returnTrue() {
++ assertThat(mFragment.shouldSkipForInitialSUW()).isTrue();
++ }
+ }
diff --git a/Patches/LineageOS-17.1/android_system_bt/405536.patch b/Patches/LineageOS-17.1/android_system_bt/405536.patch
new file mode 100644
index 00000000..d945ae1e
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/405536.patch
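Review bot: The new test `shouldSkipForInitialSUW_returnTrue` (405534.patch) only asserts that the override returns true; it does not exercise the behaviour the commit message describes, namely that the page closes when launched before setup completes. The enforcement must live in the superclass, which is outside this patch, so confirm that the base fragment in this branch declares and honours `shouldSkipForInitialSUW()`; the `@Override` will at least fail the build if it is not declared. A short Javadoc on the override, e.g. `/** Prevents this page from being shown before the setup wizard has finished. */`, would document why it returns a constant.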
@@ -0,0 +1,56 @@
+From 935b7a26fa502de27c0cd3c97a05381319e8f22c Mon Sep 17 00:00:00 2001
+From: Chris Manton
+Date: Sun, 14 Mar 2021 09:52:19 -0700
+Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text
+
+Toward loggable code
+
+Bug: 163134718
+Test: gd/cert/run
+Tag: #refactor
+BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines
+
+Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2
+---
+ btif/include/btif_hh.h | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
+index b71d347c1a7..f33598d2f19 100644
+--- a/btif/include/btif_hh.h
++++ b/btif/include/btif_hh.h
+@@ -46,7 +46,7 @@
+ * Type definitions and return values
+ ******************************************************************************/
+
+-typedef enum {
++typedef enum : unsigned {
+ BTIF_HH_DISABLED = 0,
+ BTIF_HH_ENABLED,
+ BTIF_HH_DISABLING,
+@@ -56,6 +56,25 @@ typedef enum {
+ BTIF_HH_DEV_DISCONNECTED
+ } BTIF_HH_STATUS;
+
++#define CASE_RETURN_TEXT(code) \
++ case code: \
++ return #code
++
++inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) {
++ switch (status) {
++ CASE_RETURN_TEXT(BTIF_HH_DISABLED);
++ CASE_RETURN_TEXT(BTIF_HH_ENABLED);
++ CASE_RETURN_TEXT(BTIF_HH_DISABLING);
++ CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN);
++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING);
++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED);
++ CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED);
++ default:
++ return std::string("UNKNOWN[%hhu]", status);
++ }
++}
++#undef CASE_RETURN_TEXT
++
+ typedef struct {
+ bthh_connection_state_t dev_status;
+ uint8_t dev_handle;
diff --git a/Patches/LineageOS-17.1/android_system_bt/405537.patch b/Patches/LineageOS-17.1/android_system_bt/405537.patch
new file mode 100644
index 00000000..158a347e
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_system_bt/405537.patch
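Review bot: The `default:` branch of btif_hh_status_text (405536.patch) does not format anything: `std::string("UNKNOWN[%hhu]", status)` selects the `(const char*, size_t)` constructor, so it copies the first `status` bytes of the literal and reads past its end when an out-of-range value exceeds the literal's length. Build the text explicitly instead, e.g. `return "UNKNOWN[" + std::to_string(static_cast<unsigned>(status)) + "]";`. The header also uses `std::string` without a visible `#include <string>`; the include block is outside the hunk, so confirm it is present.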
@@ -0,0 +1,369 @@
+From 1017cfa02f11db8d077d5d7a32dd46da7c8b050b Mon Sep 17 00:00:00 2001
+From: Himanshu Rawat
+Date: Mon, 8 Apr 2024 19:42:21 +0000
+Subject: [PATCH] [BACKPORT] Disallow unexpected incoming HID connections 1/2
+
+HID profile accepted any new incoming HID connection. Even when the
+connection policy disabled HID connection, remote devices could initiate
+HID connection.
+This change ensures that incoming HID connection are accepted only if
+application was interested in that HID connection.
+This vulnerarbility no longer exists on the main because of feature
+request b/324093729.
+
+Test: Manual | Pair and connect a HID device, disable HID connection
+from Bluetooth device setting, attempt to connect from the HID device.
+Bug: 308429049
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b)
+Merged-In: I6e9db983e752dd498625078c13b736cd4c668806
+Change-Id: I6e9db983e752dd498625078c13b736cd4c668806
+---
+ btif/include/btif_hh.h | 4 +-
+ btif/include/btif_storage.h | 23 ++++++++++
+ btif/src/btif_hh.cc | 87 ++++++++++++++++++++++++++++++++++---
+ btif/src/btif_storage.cc | 53 +++++++++++++++++++++-
+ include/hardware/bt_hh.h | 2 +-
+ 5 files changed, 161 insertions(+), 8 deletions(-)
+
+diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h
+index f33598d2f19..f93341d89f1 100644
+--- a/btif/include/btif_hh.h
++++ b/btif/include/btif_hh.h
+@@ -97,6 +97,7 @@ typedef struct {
+ uint8_t dev_handle;
+ RawAddress bd_addr;
+ tBTA_HH_ATTR_MASK attr_mask;
++ bool reconnect_allowed;
+ } btif_hh_added_device_t;
+
+ /**
+@@ -122,7 +123,8 @@ extern btif_hh_cb_t btif_hh_cb;
+ extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle);
+ extern void btif_hh_remove_device(RawAddress bd_addr);
+ extern bool btif_hh_add_added_dev(const RawAddress& bda,
+- tBTA_HH_ATTR_MASK attr_mask);
++ tBTA_HH_ATTR_MASK attr_mask,
++ bool reconnect_allowed);
+ extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr);
+ extern void btif_hh_disconnect(RawAddress* bd_addr);
+ extern void btif_hh_setreport(btif_hh_device_t* p_dev,
+diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h
+index 1c1163d1428..362ffdc21bb 100644
+--- a/btif/include/btif_storage.h
++++ b/btif/include/btif_storage.h
+@@ -178,6 +178,29 @@ bt_status_t btif_storage_remove_bonded_device(const RawAddress* remote_bd_addr);
+ ******************************************************************************/
+ bt_status_t btif_storage_load_bonded_devices(void);
+
++/*******************************************************************************
++ *
++ * Function btif_storage_set_hid_connection_policy
++ *
++ * Description Stores connection policy info in nvram
++ *
++ * Returns BT_STATUS_SUCCESS
++ *
++ ******************************************************************************/
++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
++ bool reconnect_allowed);
++/*******************************************************************************
++ *
++ * Function btif_storage_get_hid_connection_policy
++ *
++ * Description get connection policy info from nvram
++ *
++ * Returns BT_STATUS_SUCCESS
++ *
++ ******************************************************************************/
++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
++ bool* reconnect_allowed);
++
+ /*******************************************************************************
+ *
+ * Function btif_storage_add_hid_device_info
+diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc
+index 97479e040ba..25fb151d260 100644
+--- a/btif/src/btif_hh.cc
++++ b/btif/src/btif_hh.cc
+@@ -42,6 +42,7 @@
+ #include "btif_storage.h"
+ #include "btif_util.h"
+ #include "l2c_api.h"
++#include "main/shim/dumpsys.h"
+ #include "osi/include/log.h"
+ #include "osi/include/osi.h"
+
+@@ -334,6 +335,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) {
+ return NULL;
+ }
+
++/*******************************************************************************
++ *
++ * Function btif_hh_find_added_dev
++ *
++ * Description Return the added device pointer of the specified address
++ *
++ * Returns Added device entry
++ ******************************************************************************/
++btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) {
++ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
++ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i];
++ if (added_dev->bd_addr == addr) {
++ return added_dev;
++ }
++ }
++ return nullptr;
++}
++
+ /*******************************************************************************
+ *
+ * Function btif_hh_find_dev_by_bda
+@@ -419,7 +438,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) {
+ *
+ * Returns true if add successfully, otherwise false.
+ ******************************************************************************/
+-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
++bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask,
++ bool reconnect_allowed) {
+ int i;
+ for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) {
+ if (btif_hh_cb.added_devices[i].bd_addr == bda) {
+@@ -433,6 +453,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) {
+ btif_hh_cb.added_devices[i].bd_addr = bda;
+ btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE;
+ btif_hh_cb.added_devices[i].attr_mask = attr_mask;
++ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed;
+ return true;
+ }
+ }
+@@ -712,6 +733,23 @@ void btif_hh_getreport(btif_hh_device_t* p_dev, bthh_report_type_t r_type,
+ *
+ ****************************************************************************/
+
++static bool btif_hh_connection_allowed(const RawAddress& bda) {
++ /* Accept connection only if reconnection is allowed for the known device, or
++ * outgoing connection was requested */
++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda);
++ if (added_dev != nullptr && added_dev->reconnect_allowed) {
++ LOG_VERBOSE(LOG_TAG, "Connection allowed %s", PRIVATE_ADDRESS(bda));
++ return true;
++ } else if (btif_hh_cb.pending_conn_address == bda) {
++ LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s",
++ PRIVATE_ADDRESS(bda),
++ btif_hh_status_text(btif_hh_cb.status).c_str());
++ return true;
++ }
++
++ return false;
++}
++
+ /*******************************************************************************
+ *
+ * Function btif_hh_upstreams_evt
+@@ -770,9 +808,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ p_data->status);
+ break;
+
+- case BTA_HH_OPEN_EVT:
++ case BTA_HH_OPEN_EVT: {
+ BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__,
+ p_data->conn.handle, p_data->conn.status);
++
++ if (!btif_hh_connection_allowed(p_data->conn.bda)) {
++ LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s",
++ PRIVATE_ADDRESS(p_data->conn.bda));
++ btif_hh_device_t* p_dev =
++ btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
++ if (p_dev != nullptr) {
++ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED;
++ }
++
++ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
++ BTA_HhClose(p_data->conn.handle);
++ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda,
++ BTHH_CONN_STATE_DISCONNECTED);
++ return;
++ }
++
+ btif_hh_cb.pending_conn_address = RawAddress::kEmpty;
+ if (p_data->conn.status == BTA_HH_OK) {
+ p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle);
+@@ -831,6 +886,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED;
+ }
+ break;
++ }
+
+ case BTA_HH_CLOSE_EVT:
+ BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d",
+@@ -983,7 +1039,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ p_data->dscp_info.version,
+ p_data->dscp_info.ctry_code, len,
+ p_data->dscp_info.descriptor.dsc_list);
+- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) {
++ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) {
+ tBTA_HH_DEV_DSCP_INFO dscp_info;
+ bt_status_t ret;
+ btif_hh_copy_hid_info(&dscp_info, &p_data->dscp_info);
+@@ -999,6 +1055,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) {
+ p_data->dscp_info.ssr_min_tout, len,
+ p_data->dscp_info.descriptor.dsc_list);
+
++ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true);
++
+ ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret);
+ BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device");
+
+@@ -1280,6 +1338,13 @@ static bt_status_t init(bthh_callbacks_t* callbacks) {
+ ******************************************************************************/
+ static bt_status_t connect(RawAddress* bd_addr) {
+ if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) {
++ /* If the device was already added, ensure that reconnections are allowed */
++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
++ if (added_dev != nullptr && !added_dev->reconnect_allowed) {
++ added_dev->reconnect_allowed = true;
++ btif_storage_set_hid_connection_policy(*bd_addr, true);
++ }
++
+ btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT,
+ (char*)bd_addr, sizeof(RawAddress), NULL);
+ return BT_STATUS_SUCCESS;
+@@ -1296,7 +1361,7 @@ static bt_status_t connect(RawAddress* bd_addr) {
+ * Returns bt_status_t
+ *
+ ******************************************************************************/
+-static bt_status_t disconnect(RawAddress* bd_addr) {
++static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) {
+ CHECK_BTHH_INIT();
+ BTIF_TRACE_EVENT("BTHH: %s", __func__);
+ btif_hh_device_t* p_dev;
+@@ -1306,6 +1371,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) {
+ btif_hh_cb.status);
+ return BT_STATUS_FAIL;
+ }
++
++ if (!reconnect_allowed) {
++ LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device %s",
++ PRIVATE_ADDRESS((*bd_addr)));
++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr);
++ if (added_dev != nullptr && added_dev->reconnect_allowed) {
++ added_dev->reconnect_allowed = false;
++ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false);
++ }
++ }
++
+ p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr);
+ if (p_dev != NULL) {
+ return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT,
+@@ -1437,9 +1513,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) {
+ (uint8_t*)osi_malloc(dscp_info.descriptor.dl_len);
+ memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len);
+
+- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) {
++ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) {
+ BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class,
+ hid_info.app_id, dscp_info);
++ btif_storage_set_hid_connection_policy(*bd_addr, true);
+ }
+
+ osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list);
+diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
+index 95e4ef07150..8077ae55547 100644
+--- a/btif/src/btif_storage.cc
++++ b/btif/src/btif_storage.cc
+@@ -83,6 +83,8 @@ using bluetooth::Uuid;
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+
++#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed"
++
+ /* This is a local property to add a device found */
+ #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
+
+@@ -1323,6 +1325,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr,
+ btif_config_get_int(remote_bd_addr->ToString(), "AddrType", addr_type);
+ return ret ? BT_STATUS_SUCCESS : BT_STATUS_FAIL;
+ }
++
++/*******************************************************************************
++ *
++ * Function btif_storage_set_hid_connection_policy
++ *
++ * Description Stores connection policy info in nvram
++ *
++ * Returns BT_STATUS_SUCCESS
++ *
++ ******************************************************************************/
++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr,
++ bool reconnect_allowed) {
++ std::string bdstr = addr.ToString();
++
++ if (btif_config_set_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED,
++ reconnect_allowed)) {
++ return BT_STATUS_SUCCESS;
++ } else {
++ return BT_STATUS_FAIL;
++ }
++}
++
++/*******************************************************************************
++ *
++ * Function btif_storage_get_hid_connection_policy
++ *
++ * Description get connection policy info from nvram
++ *
++ * Returns BT_STATUS_SUCCESS
++ *
++ ******************************************************************************/
++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr,
++ bool* reconnect_allowed) {
++ std::string bdstr = addr.ToString();
++
++ // For backward compatibility, assume that the reconnection is allowed in the
++ // absence of the key
++ int value = 1;
++ btif_config_get_int(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value);
++ *reconnect_allowed = (value != 0);
++
++ return BT_STATUS_SUCCESS;
++}
++
+ /*******************************************************************************
+ *
+ * Function btif_storage_add_hid_device_info
+@@ -1425,8 +1471,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) {
+
+ RawAddress bd_addr;
+ RawAddress::FromString(name, bd_addr);
++
++ bool reconnect_allowed = false;
++ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed);
++
+ // add extracted information to BTA HH
+- if (btif_hh_add_added_dev(bd_addr, attr_mask)) {
++ if (btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) {
+ BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info);
+ }
+ }
+@@ -1458,6 +1508,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) {
+ btif_config_remove(bdstr, "HidSSRMaxLatency");
+ btif_config_remove(bdstr, "HidSSRMinTimeout");
+ btif_config_remove(bdstr, "HidDescriptor");
++ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED);
+ btif_config_save();
+ return BT_STATUS_SUCCESS;
+ }
+diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h
+index b87b129bb12..923c6279216 100644
+--- a/include/hardware/bt_hh.h
++++ b/include/hardware/bt_hh.h
+@@ -154,7 +154,7 @@ typedef struct {
+ bt_status_t (*connect)(RawAddress* bd_addr);
+
+ /** dis-connect from hid device */
+- bt_status_t (*disconnect)(RawAddress* bd_addr);
++ bt_status_t (*disconnect)(RawAddress* bd_addr, bool reconnect_allowed);
+
+ /** Virtual UnPlug (VUP) the specified HID device */
+ bt_status_t (*virtual_unplug)(RawAddress* bd_addr);
diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/405585.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/405585.patch
new file mode 100644
index 00000000..8536e443
--- /dev/null
+++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_packages_apps_Bluetooth/405585.patch
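Review bot: btif_storage_set_hid_connection_policy (405537.patch, btif_storage.cc) only calls `btif_config_set_int`, and its status is discarded at every call site in btif_hh.cc: connect, disconnect, set_info and the descriptor path in btif_hh_upstreams_evt. Because btif_storage_get_hid_connection_policy defaults to allowed when the key is missing, a `false` policy that never reaches storage turns back into allowed after a restart. btif_storage_remove_hid_info in the same file calls `btif_config_save();` after its changes; consider doing the same after a successful set, unless this branch's btif_config_set_int already schedules a write, and log when the setter returns BT_STATUS_FAIL. Separately, the BTA_HH_OPEN_EVT rejection runs before `p_data->conn.status` is inspected, so `BTA_HhClose` may be called for an open attempt that had already failed; the rest of that case is outside the hunk.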
@@ -0,0 +1,97 @@ +From 0b906b1eef2156110bb753272fe133c096eb371b Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:44:45 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID + connections 2/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5fc87e65eb3d70f051e2902d3e81ce6587ab1a96) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6d9a002091d88009db9e9de43f690d3d9fee15a0) +Merged-In: I1d7e886b1045d026f96c8274aca86dc499f87777 +Change-Id: I1d7e886b1045d026f96c8274aca86dc499f87777 +--- + jni/com_android_bluetooth_hid_host.cpp | 8 +++++--- + src/com/android/bluetooth/hid/HidHostService.java | 12 +++++++++--- + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/jni/com_android_bluetooth_hid_host.cpp b/jni/com_android_bluetooth_hid_host.cpp +index b8f4d6530..e4c885b3e 100644 +--- a/jni/com_android_bluetooth_hid_host.cpp ++++ b/jni/com_android_bluetooth_hid_host.cpp +@@ -285,7 +285,8 @@ static jboolean connectHidNative(JNIEnv* env, jobject object, + } + + static jboolean disconnectHidNative(JNIEnv* env, jobject object, +- jbyteArray address) { ++ jbyteArray address, ++ jboolean reconnect_allowed) { + jbyte* addr; + jboolean ret = JNI_TRUE; + if (!sBluetoothHidInterface) return JNI_FALSE; +@@ -296,7 +297,8 @@ static jboolean disconnectHidNative(JNIEnv* env, jobject object, + return JNI_FALSE; + } + 
+- bt_status_t status = sBluetoothHidInterface->disconnect((RawAddress*)addr); ++ bt_status_t status = ++ sBluetoothHidInterface->disconnect((RawAddress*)addr, reconnect_allowed); + if (status != BT_STATUS_SUCCESS) { + ALOGE("Failed disconnect hid channel, status: %d", status); + ret = JNI_FALSE; +@@ -512,7 +514,7 @@ static JNINativeMethod sMethods[] = { + {"initializeNative", "()V", (void*)initializeNative}, + {"cleanupNative", "()V", (void*)cleanupNative}, + {"connectHidNative", "([B)Z", (void*)connectHidNative}, +- {"disconnectHidNative", "([B)Z", (void*)disconnectHidNative}, ++ {"disconnectHidNative", "([BZ)Z", (void*)disconnectHidNative}, + {"getProtocolModeNative", "([B)Z", (void*)getProtocolModeNative}, + {"virtualUnPlugNative", "([B)Z", (void*)virtualUnPlugNative}, + {"setProtocolModeNative", "([BB)Z", (void*)setProtocolModeNative}, +diff --git a/src/com/android/bluetooth/hid/HidHostService.java b/src/com/android/bluetooth/hid/HidHostService.java +index 4687bd6a1..0258f1fdd 100644 +--- a/src/com/android/bluetooth/hid/HidHostService.java ++++ b/src/com/android/bluetooth/hid/HidHostService.java +@@ -167,7 +167,10 @@ public void handleMessage(Message msg) { + break; + case MESSAGE_DISCONNECT: { + BluetoothDevice device = (BluetoothDevice) msg.obj; +- if (!disconnectHidNative(Utils.getByteAddress(device))) { ++ int connectionPolicy = getConnectionPolicy(device); ++ boolean reconnectAllowed = ++ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED; ++ if (!disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed)) { + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTING); + broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED); + break; +@@ -192,7 +195,10 @@ public void handleMessage(Message msg) { + Log.d(TAG, "Incoming HID connection rejected"); + } + if (disconnectRemote(device)) { +- disconnectHidNative(Utils.getByteAddress(device)); ++ int connectionPolicy = getConnectionPolicy(device); ++ boolean 
reconnectAllowed = ++ connectionPolicy == BluetoothProfile.CONNECTION_POLICY_ALLOWED; ++ disconnectHidNative(Utils.getByteAddress(device), reconnectAllowed); + } else { + virtualUnPlugNative(Utils.getByteAddress(device)); + } +@@ -978,7 +984,7 @@ public void dump(StringBuilder sb) { + + private native boolean connectHidNative(byte[] btAddress); + +- private native boolean disconnectHidNative(byte[] btAddress); ++ private native boolean disconnectHidNative(byte[] btAddress, boolean reconnectAllowed); + + private native boolean getProtocolModeNative(byte[] btAddress); + diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405583.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405583.patch new file mode 100644 index 00000000..e810128f --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405583.patch 
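Review bot: Both new call sites in `handleMessage` depend on `getConnectionPolicy(device)` and `BluetoothProfile.CONNECTION_POLICY_ALLOWED`, and neither definition is visible in these hunks. Because this patch is applied to a 17.1 tree, it is worth confirming that both exist on that branch; if the branch still uses the priority-based profile API, the comparison needs the matching call and constant. The same two-line mapping is repeated in the `MESSAGE_DISCONNECT` case and in the rejected-incoming-connection path, so a small helper such as `private boolean isReconnectAllowed(BluetoothDevice device)` would keep the policy decision in one place. `handleMessage` starts and ends outside the hunks.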
@@ -0,0 +1,56 @@ +From eb91d38c9e876c23d9a51ecc8bf9b55ad90c2c4d Mon Sep 17 00:00:00 2001 +From: Chris Manton +Date: Sun, 14 Mar 2021 09:52:19 -0700 +Subject: [PATCH] Add btif/include/btif_hh::btif_hh_status_text + +Toward loggable code + +Bug: 163134718 +Test: gd/cert/run +Tag: #refactor +BYPASS_LONG_LINES_REASON: Bluetooth likes 120 lines + +Change-Id: Iab6a4f33a3e498c33f4870abc5abd59e073d03f2 +--- + btif/include/btif_hh.h | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h +index 612b9f7c7..98dc33383 100644 +--- a/btif/include/btif_hh.h ++++ b/btif/include/btif_hh.h +@@ -54,7 +54,7 @@ + * Type definitions and return values + ******************************************************************************/ + +-typedef enum { ++typedef enum : unsigned { + BTIF_HH_DISABLED = 0, + BTIF_HH_ENABLED, + BTIF_HH_DISABLING, +@@ -64,6 +64,25 @@ typedef enum { + BTIF_HH_DEV_DISCONNECTED + } BTIF_HH_STATUS; + ++#define CASE_RETURN_TEXT(code) \ ++ case code: \ ++ return #code ++ ++inline std::string btif_hh_status_text(const BTIF_HH_STATUS& status) { ++ switch (status) { ++ CASE_RETURN_TEXT(BTIF_HH_DISABLED); ++ CASE_RETURN_TEXT(BTIF_HH_ENABLED); ++ CASE_RETURN_TEXT(BTIF_HH_DISABLING); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_UNKNOWN); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTING); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_CONNECTED); ++ CASE_RETURN_TEXT(BTIF_HH_DEV_DISCONNECTED); ++ default: ++ return std::string("UNKNOWN[%hhu]", status); ++ } ++} ++#undef CASE_RETURN_TEXT ++ + typedef struct { + bthh_connection_state_t dev_status; + uint8_t dev_handle; diff --git a/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405584.patch b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405584.patch new file mode 100644 index 00000000..f860a166 --- /dev/null +++ b/Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/405584.patch 
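Review bot: The `default:` branch of `btif_hh_status_text` does not format the value. `std::string("UNKNOWN[%hhu]", status)` selects the (pointer, count) constructor, so it copies the first `status` characters of the literal, and for a value larger than the literal it reads past the end of the array. Since the helper exists to log unexpected states, build the text explicitly, e.g. `return "UNKNOWN[" + std::to_string(static_cast<unsigned>(status)) + "]";`. The header's include list is outside this hunk, so confirm `<string>` is included there.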
@@ -0,0 +1,363 @@ +From 0196deeccce43dc7fc5d8c4bfe94d2f24ad2d4b2 Mon Sep 17 00:00:00 2001 +From: Himanshu Rawat +Date: Mon, 8 Apr 2024 19:42:21 +0000 +Subject: [PATCH] RESTRICT AUTOMERGE Disallow unexpected incoming HID + connections 1/2 + +HID profile accepted any new incoming HID connection. Even when the +connection policy disabled HID connection, remote devices could initiate +HID connection. +This change ensures that incoming HID connection are accepted only if +application was interested in that HID connection. +This vulnerarbility no longer exists on the main because of feature +request b/324093729. + +Test: Manual | Pair and connect a HID device, disable HID connection +from Bluetooth device setting, attempt to connect from the HID device. +Bug: 308429049 +Ignore-AOSP-First: security +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18c635ad7923f5c26d6cd4cf7f7c66b2fa02462b) +(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:674298968a36f54d049b385a2976afc29777d821) +Merged-In: I6e9db983e752dd498625078c13b736cd4c668806 +Change-Id: I6e9db983e752dd498625078c13b736cd4c668806 +--- + btif/include/btif_hh.h | 4 +- + btif/include/btif_storage.h | 23 ++++++++++ + btif/src/btif_hh.cc | 86 ++++++++++++++++++++++++++++++++++--- + btif/src/btif_storage.cc | 53 ++++++++++++++++++++++- + include/hardware/bt_hh.h | 2 +- + 5 files changed, 160 insertions(+), 8 deletions(-) + +diff --git a/btif/include/btif_hh.h b/btif/include/btif_hh.h +index 98dc33383..2aa03fddc 100644 +--- a/btif/include/btif_hh.h ++++ b/btif/include/btif_hh.h +@@ -113,6 +113,7 @@ typedef struct { + uint8_t dev_handle; + RawAddress bd_addr; + tBTA_HH_ATTR_MASK attr_mask; ++ bool reconnect_allowed; + } btif_hh_added_device_t; + + /** +@@ -137,7 +138,8 @@ extern btif_hh_cb_t btif_hh_cb; + extern btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle); + extern void btif_hh_remove_device(RawAddress bd_addr); + extern bool 
btif_hh_add_added_dev(const RawAddress& bda, +- tBTA_HH_ATTR_MASK attr_mask); ++ tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed); + extern bt_status_t btif_hh_virtual_unplug(const RawAddress* bd_addr); + extern void btif_hh_disconnect(RawAddress* bd_addr); + extern void btif_hh_service_registration(bool enable); +diff --git a/btif/include/btif_storage.h b/btif/include/btif_storage.h +index b1ada4db6..a32b7b8ff 100755 +--- a/btif/include/btif_storage.h ++++ b/btif/include/btif_storage.h +@@ -201,6 +201,29 @@ bt_status_t btif_storage_is_device_bonded(RawAddress *remote_bd_addr); + ******************************************************************************/ + bt_status_t btif_storage_load_bonded_devices(void); + ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed); ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed); ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc +index aeaabc47d..4ad1537d6 100644 +--- a/btif/src/btif_hh.cc ++++ b/btif/src/btif_hh.cc +@@ -340,6 +340,24 @@ btif_hh_device_t* btif_hh_find_connected_dev_by_handle(uint8_t handle) { + return NULL; + } + 
++/******************************************************************************* ++ * ++ * Function btif_hh_find_added_dev ++ * ++ * Description Return the added device pointer of the specified address ++ * ++ * Returns Added device entry ++ ******************************************************************************/ ++btif_hh_added_device_t* btif_hh_find_added_dev(const RawAddress& addr) { ++ for (int i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { ++ btif_hh_added_device_t* added_dev = &btif_hh_cb.added_devices[i]; ++ if (added_dev->bd_addr == addr) { ++ return added_dev; ++ } ++ } ++ return nullptr; ++} ++ + /******************************************************************************* + * + * Function btif_hh_find_dev_by_bda +@@ -425,7 +443,8 @@ void btif_hh_start_vup_timer(const RawAddress* bd_addr) { + * + * Returns true if add successfully, otherwise false. + ******************************************************************************/ +-bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { ++bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask, ++ bool reconnect_allowed) { + int i; + for (i = 0; i < BTIF_HH_MAX_ADDED_DEV; i++) { + if (btif_hh_cb.added_devices[i].bd_addr == bda) { +@@ -439,6 +458,7 @@ bool btif_hh_add_added_dev(const RawAddress& bda, tBTA_HH_ATTR_MASK attr_mask) { + btif_hh_cb.added_devices[i].bd_addr = bda; + btif_hh_cb.added_devices[i].dev_handle = BTA_HH_INVALID_HANDLE; + btif_hh_cb.added_devices[i].attr_mask = attr_mask; ++ btif_hh_cb.added_devices[i].reconnect_allowed = reconnect_allowed; + return true; + } + } +@@ -736,6 +756,23 @@ void btif_hh_getreport(btif_hh_device_t* p_dev, bthh_report_type_t r_type, + * + ****************************************************************************/ + ++static bool btif_hh_connection_allowed(const RawAddress& bda) { ++ /* Accept connection only if reconnection is allowed for the known device, or ++ * outgoing connection was requested */ ++ 
btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(bda); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ LOG_VERBOSE(LOG_TAG, "Connection allowed %s", bda.ToString().c_str()); ++ return true; ++ } else if (btif_hh_cb.pending_conn_address == bda) { ++ LOG_VERBOSE(LOG_TAG, "Device connection was pending for: %s, status: %s", ++ bda.ToString().c_str(), ++ btif_hh_status_text(btif_hh_cb.status).c_str()); ++ return true; ++ } ++ ++ return false; ++} ++ + /******************************************************************************* + * + * Function btif_hh_upstreams_evt +@@ -794,9 +831,26 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->status); + break; + +- case BTA_HH_OPEN_EVT: ++ case BTA_HH_OPEN_EVT: { + BTIF_TRACE_WARNING("%s: BTA_HH_OPN_EVT: handle=%d, status =%d", __func__, + p_data->conn.handle, p_data->conn.status); ++ ++ if (!btif_hh_connection_allowed(p_data->conn.bda)) { ++ LOG_WARN(LOG_TAG, "Reject Incoming HID Connection, device: %s", ++ p_data->conn.bda.ToString().c_str()); ++ btif_hh_device_t* p_dev = ++ btif_hh_find_connected_dev_by_handle(p_data->conn.handle); ++ if (p_dev != nullptr) { ++ p_dev->dev_status = BTHH_CONN_STATE_DISCONNECTED; ++ } ++ ++ btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; ++ BTA_HhClose(p_data->conn.handle); ++ HAL_CBACK(bt_hh_callbacks, connection_state_cb, &p_data->conn.bda, ++ BTHH_CONN_STATE_DISCONNECTED); ++ return; ++ } ++ + btif_hh_cb.pending_conn_address = RawAddress::kEmpty; + if (p_data->conn.status == BTA_HH_OK) { + p_dev = btif_hh_find_connected_dev_by_handle(p_data->conn.handle); +@@ -853,6 +907,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + btif_hh_cb.status = (BTIF_HH_STATUS)BTIF_HH_DEV_DISCONNECTED; + } + break; ++ } + + case BTA_HH_CLOSE_EVT: + BTIF_TRACE_DEBUG("BTA_HH_CLOSE_EVT: status = %d, handle = %d", +@@ -1021,7 +1076,7 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + } + return; + } 
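Review bot: In the `BTA_HH_OPEN_EVT` case the new `btif_hh_connection_allowed` check runs before `p_data->conn.status` is compared with `BTA_HH_OK`. An open that already failed for a non-allowed address therefore still reaches `BTA_HhClose(p_data->conn.handle)` and the disconnected callback. If the handle can be invalid on a failed open, guard the close with `if (p_data->conn.status == BTA_HH_OK) BTA_HhClose(p_data->conn.handle);`. The reject block also declares a second `btif_hh_device_t* p_dev` although the following context line assigns an existing `p_dev`, so reusing that variable would avoid the shadowing. `btif_hh_upstreams_evt` starts and ends outside the hunk.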
+- if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask)) { ++ if (btif_hh_add_added_dev(p_dev->bd_addr, p_dev->attr_mask, true)) { + tBTA_HH_DEV_DSCP_INFO dscp_info; + bt_status_t ret; + btif_hh_copy_hid_info(&dscp_info, p_data->h_d_info.dscp_info); +@@ -1037,6 +1092,8 @@ static void btif_hh_upstreams_evt(uint16_t event, char* p_param) { + p_data->h_d_info.dscp_info->ssr_min_tout, len, + p_data->h_d_info.dscp_info->descriptor.dsc_list); + ++ btif_storage_set_hid_connection_policy(p_dev->bd_addr, true); ++ + ASSERTC(ret == BT_STATUS_SUCCESS, "storing hid info failed", ret); + BTIF_TRACE_WARNING("BTA_HH_GET_DSCP_EVT: Called add device"); + +@@ -1334,6 +1391,13 @@ static bt_status_t connect(RawAddress* bd_addr) { + BTIF_TRACE_EVENT("%s Ignore connect request, device already connected", __func__); + return BT_STATUS_SUCCESS; + } else if (btif_hh_cb.status != BTIF_HH_DEV_CONNECTING) { ++ /* If the device was already added, ensure that reconnections are allowed */ ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && !added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = true; ++ btif_storage_set_hid_connection_policy(*bd_addr, true); ++ } ++ + btif_transfer_context(btif_hh_handle_evt, BTIF_HH_CONNECT_REQ_EVT, + (char*)bd_addr, sizeof(RawAddress), NULL); + return BT_STATUS_SUCCESS; +@@ -1350,7 +1414,7 @@ static bt_status_t connect(RawAddress* bd_addr) { + * Returns bt_status_t + * + ******************************************************************************/ +-static bt_status_t disconnect(RawAddress* bd_addr) { ++static bt_status_t disconnect(RawAddress* bd_addr, bool reconnect_allowed) { + CHECK_BTHH_INIT(); + BTIF_TRACE_EVENT("BTHH: %s", __func__); + btif_hh_device_t* p_dev; +@@ -1360,6 +1424,17 @@ static bt_status_t disconnect(RawAddress* bd_addr) { + btif_hh_cb.status); + return BT_STATUS_FAIL; + } ++ ++ if (!reconnect_allowed) { ++ LOG_INFO(LOG_TAG, "Incoming reconnections disabled for device 
%s", ++ bd_addr->ToString().c_str()); ++ btif_hh_added_device_t* added_dev = btif_hh_find_added_dev(*bd_addr); ++ if (added_dev != nullptr && added_dev->reconnect_allowed) { ++ added_dev->reconnect_allowed = false; ++ btif_storage_set_hid_connection_policy(added_dev->bd_addr, false); ++ } ++ } ++ + p_dev = btif_hh_find_connected_dev_by_bda(*bd_addr); + if (p_dev != NULL) { + return btif_transfer_context(btif_hh_handle_evt, BTIF_HH_DISCONNECT_REQ_EVT, +@@ -1494,9 +1569,10 @@ static bt_status_t set_info(RawAddress* bd_addr, bthh_hid_info_t hid_info) { + (uint8_t*)osi_malloc(dscp_info.descriptor.dl_len); + memcpy(dscp_info.descriptor.dsc_list, &(hid_info.dsc_list), hid_info.dl_len); + +- if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask)) { ++ if (btif_hh_add_added_dev(*bd_addr, hid_info.attr_mask, true)) { + BTA_HhAddDev(*bd_addr, hid_info.attr_mask, hid_info.sub_class, + hid_info.app_id, dscp_info); ++ btif_storage_set_hid_connection_policy(*bd_addr, true); + } + + osi_free_and_reset((void**)&dscp_info.descriptor.dsc_list); +diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc +index d7a9cdf3c..0c40afd16 100644 +--- a/btif/src/btif_storage.cc ++++ b/btif/src/btif_storage.cc +@@ -88,6 +88,8 @@ using bluetooth::Uuid; + #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE" + #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout" + ++#define BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED "HidReConnectAllowed" ++ + /* This is a local property to add a device found */ + #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF + +@@ -1486,6 +1488,50 @@ bt_status_t btif_storage_get_remote_addr_type(const RawAddress* remote_bd_addr, + addr_type); + return ret ? 
BT_STATUS_SUCCESS : BT_STATUS_FAIL; + } ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_set_hid_connection_policy ++ * ++ * Description Stores connection policy info in nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_set_hid_connection_policy(const RawAddress& addr, ++ bool reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ if (btif_config_set_int(bdstr.c_str(), BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, ++ reconnect_allowed)) { ++ return BT_STATUS_SUCCESS; ++ } else { ++ return BT_STATUS_FAIL; ++ } ++} ++ ++/******************************************************************************* ++ * ++ * Function btif_storage_get_hid_connection_policy ++ * ++ * Description get connection policy info from nvram ++ * ++ * Returns BT_STATUS_SUCCESS ++ * ++ ******************************************************************************/ ++bt_status_t btif_storage_get_hid_connection_policy(const RawAddress& addr, ++ bool* reconnect_allowed) { ++ std::string bdstr = addr.ToString(); ++ ++ // For backward compatibility, assume that the reconnection is allowed in the ++ // absence of the key ++ int value = 1; ++ btif_config_get_int(bdstr.c_str(), BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED, &value); ++ *reconnect_allowed = (value != 0); ++ ++ return BT_STATUS_SUCCESS; ++} ++ + /******************************************************************************* + * + * Function btif_storage_add_hid_device_info +@@ -1585,8 +1631,12 @@ bt_status_t btif_storage_load_bonded_hid_info(void) { + (uint8_t*)dscp_info.descriptor.dsc_list, &len); + } + RawAddress::FromString(name, bd_addr); ++ ++ bool reconnect_allowed = false; ++ btif_storage_get_hid_connection_policy(bd_addr, &reconnect_allowed); ++ + // add extracted information to BTA HH +- if (btif_hh_add_added_dev(bd_addr, attr_mask)) { ++ if 
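Review bot: `btif_storage_get_hid_connection_policy` fails open: it ignores the result of `btif_config_get_int` and starts from `int value = 1`, so a missing or unreadable `HidReConnectAllowed` key yields `reconnect_allowed = true`. The comment explains this as backward compatibility, but it means a deny decision only survives a restart if the key was actually written. The setter here does not call `btif_config_save()` and the callers in btif_hh.cc ignore its return value, so please confirm that `btif_config_set_int` schedules a flush in this tree, or add the save after a successful set. The banner for the setter says `Returns BT_STATUS_SUCCESS` while the body can return `BT_STATUS_FAIL`; it should read `Returns BT_STATUS_SUCCESS if the key was stored, BT_STATUS_FAIL otherwise`. The same pair of functions appears in the other btif_storage.cc patch earlier on this page.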
(btif_hh_add_added_dev(bd_addr, attr_mask, reconnect_allowed)) { + BTA_HhAddDev(bd_addr, attr_mask, sub_class, app_id, dscp_info); + } + } +@@ -1626,6 +1676,7 @@ bt_status_t btif_storage_remove_hid_info(RawAddress* remote_bd_addr) { + btif_config_remove(bdstr, "HidSSRMaxLatency"); + btif_config_remove(bdstr, "HidSSRMinTimeout"); + btif_config_remove(bdstr, "HidDescriptor"); ++ btif_config_remove(bdstr, BTIF_STORAGE_KEY_HID_RECONNECT_ALLOWED); + btif_config_save(); + return BT_STATUS_SUCCESS; + } +diff --git a/include/hardware/bt_hh.h b/include/hardware/bt_hh.h +index c39e3e5b8..c1247cb1c 100644 +--- a/include/hardware/bt_hh.h ++++ b/include/hardware/bt_hh.h +@@ -151,7 +151,7 @@ typedef struct { + bt_status_t (*connect)( RawAddress *bd_addr); + + /** dis-connect from hid device */ +- bt_status_t (*disconnect)( RawAddress *bd_addr ); ++ bt_status_t (*disconnect)( RawAddress *bd_addr, bool reconnect_allowed); + + /** Virtual UnPlug (VUP) the specified HID device */ + bt_status_t (*virtual_unplug)(RawAddress *bd_addr); diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh index 6a870a6b..0d458312 100644 --- a/Scripts/LineageOS-17.1/Patch.sh +++ b/Scripts/LineageOS-17.1/Patch.sh 
@@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches. awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS) -sed -i 's/2023-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2024-09 +sed -i 's/2023-02-05/2024-10-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-10 fi; if enterAndClear "build/soong"; then 
@@ -328,6 +328,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/402604.patch"; #Q_asb_2024-08 B applyPatch "$DOS_PATCHES/android_frameworks_base/402605.patch"; #Q_asb_2024-08 Restrict USB poups while setup is in progress applyPatch "$DOS_PATCHES/android_frameworks_base/402606.patch"; #Q_asb_2024-08 Hide SAW subwindows applyPatch "$DOS_PATCHES/android_frameworks_base/403301.patch"; #Q_asb_2024-09 Sanitized uri scheme by removing scheme delimiter +applyPatch "$DOS_PATCHES/android_frameworks_base/405515.patch"; #R_asb_2024-10 Update AccountManagerService checkKeyIntent. +applyPatch "$DOS_PATCHES/android_frameworks_base/405516.patch"; #R_asb_2024-10 Fail parseUri if end is missing +applyPatch "$DOS_PATCHES/android_frameworks_base/405517-backport.patch"; #R_asb_2024-10 Prevent Sharing when FRP enforcement is in effect +applyPatch "$DOS_PATCHES/android_frameworks_base/405518.patch"; #R_asb_2024-10 Check whether installerPackageName contains only valid characters #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS) 
@@ -450,6 +454,7 @@ applyPatch "$DOS_PATCHES/android_hardware_qcom_audio/0001-Unused-sm8150.patch"; fi; if enterAndClear "libcore"; then +applyPatch "$DOS_PATCHES/android_libcore/405541.patch"; #R_asb_2024-10 Do not accept zip files with invalid headers. applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-1.patch"; #Add exec-based spawning support (GrapheneOS) applyPatch "$DOS_PATCHES/android_libcore/0001-Exec_Based_Spawning-2.patch"; applyPatch "$DOS_PATCHES/android_libcore/0003-Network_Permission.patch"; #Expose the NETWORK permission (GrapheneOS) @@ -463,6 +468,7 @@ fi; if enterAndClear "packages/apps/Bluetooth"; then applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/378135.patch"; #Q_asb_2023-12 Fix UAF in ~CallbackEnv +applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/405540.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 2/2 #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272652.patch"; #ten-bt-sbc-hd-dualchannel: SBC Dual Channel (SBC HD Audio) support (ValdikSS) #applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/272653.patch"; #ten-bt-sbc-hd-dualchannel: Assume optional codecs are supported if were supported previously (ValdikSS) applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/0001-constify_JNINativeMethod.patch"; #Constify JNINativeMethod tables (GrapheneOS) 
@@ -528,6 +534,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403302.patch"; #Q_asb_20 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403303.patch"; #Q_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage() applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403304.patch"; #Q_asb_2024-09 Ignore fragment attr from ext authenticator resource applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403305.patch"; #Q_asb_2024-09 Restrict Settings Homepage prior to provisioning +applyPatch "$DOS_PATCHES/android_packages_apps_Settings/405534.patch"; #R_asb_2024-10 FRP bypass defense in App battery usage page git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS) applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969) 
@@ -668,6 +675,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/403314.patch"; #Q_asb_2024-09 Use btm applyPatch "$DOS_PATCHES/android_system_bt/403315.patch"; #Q_asb_2024-09 Add support for checking security downgrade applyPatch "$DOS_PATCHES/android_system_bt/403316.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade applyPatch "$DOS_PATCHES/android_system_bt/403317.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade +applyPatch "$DOS_PATCHES/android_system_bt/405536.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text +applyPatch "$DOS_PATCHES/android_system_bt/405537.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS) #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) @@ -749,6 +758,7 @@ fi; if enterAndClear "vendor/qcom/opensource/commonsys/packages/apps/Bluetooth"; then applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/378136.patch"; #Q_asb_2023-12 Fix UAF in ~CallbackEnv +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_packages_apps_Bluetooth/405585.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 2/2 fi; if enterAndClear "vendor/qcom/opensource/commonsys/system/bt"; then 
@@ -791,6 +801,8 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403324.patch"; applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403325.patch"; #Q_asb_2024-09 Add support for checking security downgrade applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403326.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403327.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405583.patch"; #R_asb_2024-10 Add btif/include/btif_hh::btif_hh_status_text +applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/405584.patch"; #R_asb_2024-10 Disallow unexpected incoming HID connections 1/2 fi; if enterAndClear "vendor/lineage"; then